[
https://issues.apache.org/jira/browse/QPID-6496?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Keith Wall updated QPID-6496:
-----------------------------
Summary: PropertiesFileInitialContextFactory logs properties at INFO which
may allow a password to be logged in clear (was:
PropertiesFileInitialContextFactory logs properties at INFO which may allow a
password to be logged)
> PropertiesFileInitialContextFactory logs properties at INFO which may allow a
> password to be logged in clear
> ------------------------------------------------------------------------------------------------------------
>
> Key: QPID-6496
> URL: https://issues.apache.org/jira/browse/QPID-6496
> Project: Qpid
> Issue Type: Bug
> Components: Java Client
> Affects Versions: 0.8, 0.32
> Reporter: Keith Wall
> Priority: Minor
>
> PropertiesFileInitialContextFactory logs all properties at INFO whilst
> creating the InitialContext. As the properties could include connection
> factory definition(s) and connection factory definitions allow a password to be
> embedded within them, this could mean cleartext passwords are logged.
> {noformat}
> connectionfactory.qpidConnectionFactory =
> amqp://user:pass@clientid/?brokerlist='tcp://localhost:5672'
> {noformat}
> This problem will only manifest if logger org.apache.qpid.jndi is enabled at
> INFO or lower. The client offers no in-built mechanism to enable
> this logging (it is delegated to the application).
> It won't affect users specifying credentials using
> ConnectionFactory#createConnection(user,password). Nor does it affect users
> using authentication mechanisms that do not rely on a client-side password
> i.e. SSL client auth, Kerberos.
>
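
The leak described in this issue, shown as an added example (not Qpid's code and not the project's fix): a Java helper that masks the password in the userinfo part of a connection URL before a Properties object is written to a log. The class name, the `redact` and `describe` helpers and the `queue.example` entry are assumptions made for illustration; the connection factory entry mirrors the sample quoted in the issue.

```java
import java.util.Properties;
import java.util.TreeMap;
import java.util.regex.Pattern;

public class RedactedPropertiesLogging {

    // Matches "scheme://user:password@" and captures everything but the password.
    // Assumption: the credentials sit in the URL's userinfo part, as in the
    // sample from the issue, and the password contains no raw '@', '/', '?' or '#'.
    private static final Pattern USERINFO = Pattern.compile(
            "(?<prefix>[A-Za-z][A-Za-z0-9+.-]*://[^:/?#@\\s]*:)[^@/?#\\s]*(?<at>@)");

    // Returns the value with any embedded URL password replaced by a fixed mask.
    static String redact(String value) {
        if (value == null) {
            return null;
        }
        return USERINFO.matcher(value).replaceAll("${prefix}********${at}");
    }

    // Builds a loggable view of the properties: sorted by key, values redacted.
    static String describe(Properties props) {
        TreeMap<String, String> safe = new TreeMap<>();
        for (String name : props.stringPropertyNames()) {
            safe.put(name, redact(props.getProperty(name)));
        }
        return safe.toString();
    }

    public static void main(String[] args) {
        Properties props = new Properties();
        // Constructed sample input, mirroring the entry quoted in the issue.
        props.setProperty("connectionfactory.qpidConnectionFactory",
                "amqp://user:pass@clientid/?brokerlist='tcp://localhost:5672'");
        // Constructed second entry with no credentials; it must pass through unchanged.
        props.setProperty("queue.example", "exampleQueue");

        // Log the redacted view instead of the raw Properties object.
        System.out.println(describe(props));
    }
}
```

The broker address inside `brokerlist` is left intact because `tcp://localhost:5672` has no `@` after the port, so only the `user:pass@` segment is rewritten.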